Loss Exceeding $26 Million: Analysis of Truebit Protocol Security Incident and Tracking of Stolen Funds Flow
On January 9, the Truebit Protocol suffered an attack that drained 8,535.36 ETH (approximately $26.4 million) through a five-year-old contract that had been neither audited nor open-sourced. The attack is suspected to rely on an arithmetic logic flaw, possibly integer truncation, in an unverified function with selector 0xa0296215. The attacker repeatedly called this function with a minimal msg.value to mint a large number of TRU tokens, then burned those tokens to withdraw ETH from the contract's reserves.
According to Beosin’s analysis, the stolen funds—totaling 8,535.36 ETH—were primarily transferred to two addresses: 0xd12f6e0fa7fbf4e3a1c7996e3f0dd26ab9031a60 (holding 4,267.09 ETH) and 0x273589ca3713e7becf42069f9fb3f0c164ce850a (holding 4,001 ETH). The attacker’s address (0x6c8ec8f14be7c01672d31cfa5f2cefeab2562b50) still retains 267.71 ETH. All related addresses have been flagged as high-risk by Beosin KYT.
The incident underscores the importance of security audits, contract upgrades, emergency pause mechanisms, and the checked arithmetic that Solidity 0.8 and later apply by default to +, -, * and / (explicit narrowing casts such as uint64(x) remain unchecked and still truncate silently) to mitigate risks in legacy smart contracts.
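The exact arithmetic of the unverified function is not public, so the model below is an added illustration of the flaw class, not Truebit's code. It assumes one common shape of an integer-truncation bug: a mint function that narrows the computed ETH cost to 64 bits before comparing it with msg.value, so a caller can pick an amount whose true cost wraps past 2**64 and pay only the remainder, then burn the tokens at full-width value. The names VulnerableMinter, HardenedMinter, wraparound_amount and the fixed per-unit price are all invented for the example.

```python
"""Hypothetical model of an integer-truncation mint/burn flaw (not Truebit's code).

The real 0xa0296215 function is unverified; the uint64 narrowing modelled here
is an assumption chosen to show how a minimal msg.value can mint many tokens.
"""

MASK64 = (1 << 64) - 1    # bits kept by a Solidity uint64(x) cast (assumed bug)
MASK256 = (1 << 256) - 1  # pre-0.8 Solidity also wraps uint256 silently


class VulnerableMinter:
    """Sells token units at a fixed wei price; cost is narrowed to uint64 (the bug)."""

    def __init__(self, reserve_wei: int, price_wei: int):
        self.reserve = reserve_wei          # ETH held by the contract, in wei
        self.price = price_wei              # wei per token unit
        self.balances: dict[str, int] = {}

    def cost_of(self, amount: int) -> int:
        # BUG: the product is truncated to 64 bits before the payment check,
        # as `uint64(amount * price)` would do; the high bits are dropped.
        return ((amount * self.price) & MASK256) & MASK64

    def mint(self, caller: str, amount: int, msg_value: int) -> int:
        if msg_value < self.cost_of(amount):
            raise ValueError("insufficient payment")
        self.reserve += msg_value
        self.balances[caller] = self.balances.get(caller, 0) + amount
        return amount

    def burn(self, caller: str, amount: int) -> int:
        # The burn side is computed at full width, so the refund is the
        # "fair" value and drains reserves funded by honest minters.
        if self.balances.get(caller, 0) < amount:
            raise ValueError("insufficient balance")
        payout = min(amount * self.price, self.reserve)
        self.balances[caller] -= amount
        self.reserve -= payout
        return payout


def wraparound_amount(price_wei: int) -> int:
    """Smallest amount whose true cost exceeds 2**64, so uint64(cost) < price."""
    return -(-(1 << 64) // price_wei)   # ceil(2**64 / price)


class HardenedMinter(VulnerableMinter):
    """Same contract with the fixes the write-up recommends: full-width checked
    arithmetic (as Solidity >= 0.8 does for *, with no narrowing cast) and an
    owner-controlled emergency pause."""

    def __init__(self, reserve_wei: int, price_wei: int):
        super().__init__(reserve_wei, price_wei)
        self.paused = False

    def cost_of(self, amount: int) -> int:
        cost = amount * self.price
        if cost > MASK256:
            raise OverflowError("cost overflows uint256")
        return cost                      # no uint64 cast

    def mint(self, caller: str, amount: int, msg_value: int) -> int:
        if self.paused:
            raise RuntimeError("contract is paused")
        return super().mint(caller, amount, msg_value)

    def burn(self, caller: str, amount: int) -> int:
        if self.paused:
            raise RuntimeError("contract is paused")
        return super().burn(caller, amount)


def simulate_drain(price_wei: int, reserve_wei: int, calls: int) -> tuple[int, int, int]:
    """Mint-then-burn loop against the vulnerable contract.
    Returns (wei spent, token units minted, wei withdrawn)."""
    c = VulnerableMinter(reserve_wei, price_wei)
    amount = wraparound_amount(price_wei)
    per_call = c.cost_of(amount)         # truncated cost, below one unit's price
    spent = 0
    for _ in range(calls):
        c.mint("attacker", amount, per_call)
        spent += per_call
    minted = c.balances["attacker"]
    withdrawn = c.burn("attacker", minted)
    return spent, minted, withdrawn


def hardened_rejects(price_wei: int, reserve_wei: int) -> bool:
    """True if the hardened contract refuses the same under-paid mint."""
    amount = wraparound_amount(price_wei)
    underpay = VulnerableMinter(reserve_wei, price_wei).cost_of(amount)
    try:
        HardenedMinter(reserve_wei, price_wei).mint("attacker", amount, underpay)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed figures: 0.001 ETH per unit, an 8,535 ETH reserve, 400 calls.
    spent, minted, withdrawn = simulate_drain(10**15, 8535 * 10**18, 400)
    print(f"spent {spent} wei, minted {minted} units, withdrew {withdrawn} wei")
    print("hardened contract rejects the mint:", hardened_rejects(10**15, 8535 * 10**18))
```

With a price of 10**15 wei, wraparound_amount returns 18447 units, whose true cost is 18,447 ETH but whose truncated cost is 255,926,290,448,384 wei (about 0.00026 ETH); each call therefore mints 18,447 units for less than the price of one, and burning them is paid at full value. The hardened variant computes the cost at full width and raises on the underpayment, and the pause flag lets an operator halt both mint and burn while an incident is investigated.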
marsbit, 01/09 10:46